The Hacker News — Cyber Security, Hacking, Technology News

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS that could allow anyone to take down most WordPress websites from a single machine, without the massive bandwidth a network-level DDoS attack needs to achieve the same result.

Since WordPress has declined to patch the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable release (version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way "load-scripts.php," a built-in script in WordPress, processes user-supplied requests.

For those unaware, the load-scripts.php file was designed for admin users: it improves page load times by combining multiple JavaScript files into a single request on the server side.

However, to make "load-scripts.php" work on the admin login page (wp-login.php) before login, the WordPress authors put no authentication in front of it, which makes the feature accessible to anyone.

Depending on the plugins and modules installed, load-scripts.php selectively serves the required JavaScript files; their names are passed in the "load" parameter, separated by commas, as in the following URL:

While the page loads, load-scripts.php (referenced in the head of the page) looks up each JavaScript file named in the URL, appends its content to a single response and sends it back to the user's browser.

How WordPress DoS Attack Works

According to the researcher, one can force load-scripts.php to load every registered JavaScript file (181 scripts) in a single request by passing all their names in the above URL, slowing the targeted website down by consuming CPU and memory on the server.

"There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user," Tawily says.

Although a single request would not be enough to take the whole website down for its visitors, Tawily used a proof-of-concept (PoC) Python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to exhaust the target server's CPU and bring it down.

The Hacker News has verified the authenticity of the DoS exploit, which successfully took down one of our demo WordPress websites running on a medium-sized VPS.

"It is time to mention again that load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn't respond at all any more, or returned 502/503/504 status code errors," Tawily says.

However, an attack from a single machine with a roughly 40 Mbps connection was not enough to take down another demo website running on a dedicated server with high processing power and memory.

But that doesn't mean the flaw is ineffective against WordPress websites on heavier servers, since an application-level attack generally needs far fewer packets and far less bandwidth than a network-level flood to achieve the same goal of taking a site down.

So attackers with more bandwidth, or a few bots, can exploit this flaw against big and popular WordPress websites as well.

No Patch Available – Mitigation Guide

Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.

Although DoS vulnerabilities are out of scope for the WordPress bug bounty program, Tawily responsibly reported the vulnerability to the WordPress team through the HackerOne platform.

However, the WordPress team refused to acknowledge it as a vulnerability, saying that this kind of bug "should really get mitigated at the server end or network level rather than the application level," which is outside WordPress's control.

The vulnerability is serious because WordPress powers nearly 29 percent of the Web, leaving millions of websites exposed to attackers who can make them unavailable to their legitimate users.

For websites that can't afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked version of WordPress that includes a mitigation for this vulnerability.

However, I personally wouldn't recommend that users install a modified CMS, even if it comes from a trusted source other than the original author.

Besides this, the researcher has also released a simple bash script that applies the fix to an existing WordPress installation.
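Because the WordPress team says this is a problem to handle at the server or network level, the practical question for an operator is how to recognise the traffic pattern described above in ordinary web-server logs. The following is an added example, not code from the article, from Tawily's PoC or from WordPress: it parses access-log lines in the common "combined" format and flags clients that either send a single load-scripts.php request naming an unusually large number of script handles or hammer the endpoint with many requests. The log lines are constructed sample data, the handle names and the thresholds (30 handles, 50 requests) are assumptions, and the parser accepts both `load[]=a,b,c` and `load=a,b,c` spellings so that neither form is missed.

```python
"""Spot abuse of wp-admin/load-scripts.php in a web-server access log.

Two heuristics, taken from the attack described above: a single request that
names an unusually large number of script handles, and a client that hammers
the endpoint with many requests.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def requested_handles(query):
    """Distinct script handles named in the load parameter of a load-scripts.php query.

    The handles arrive as a comma-separated list; both the load[]=a,b,c and the
    load=a,b,c spellings are accepted here (an assumption) so neither is missed.
    """
    params = parse_qs(query, keep_blank_values=True)
    raw = ",".join(params.get("load[]", []) + params.get("load", []))
    return sorted({h for h in raw.split(",") if h})


def scan(log_text, max_handles=30, max_requests=50):
    """Summarise load-scripts.php traffic per client IP and flag abuse.

    Returns {ip: {"requests": n, "max_handles": k, "flags": [...]}} where flags
    holds "oversized-load" if one request named more than max_handles handles
    and/or "high-rate" if the client sent more than max_requests requests.
    The thresholds are assumptions; tune them to what a real admin session looks like.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "max_handles": 0, "flags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/load-scripts.php"):
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        count = len(requested_handles(rec["query"]))
        stats["max_handles"] = max(stats["max_handles"], count)
        if count > max_handles:
            stats["flags"].add("oversized-load")
    for stats in per_ip.values():
        if stats["requests"] > max_requests:
            stats["flags"].add("high-rate")
        stats["flags"] = sorted(stats["flags"])
    return dict(per_ip)


# --- constructed sample data (not real traffic) ---------------------------------
def _line(ip, target, status=200, size=1024):
    """Build one constructed access-log line in the combined format."""
    return (f'{ip} - - [05/Feb/2018:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'{status} {size}')


# A normal wp-login.php page load asking for a handful of handles (names illustrative).
LEGIT = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2"
# A request naming 181 handles; h0..h180 are placeholders for the real handle names.
HUGE = ("/wp-admin/load-scripts.php?c=1&load%5B%5D="
        + ",".join(f"h{i}" for i in range(181)) + "&ver=4.9.2")

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", LEGIT), _line("203.0.113.9", "/wp-login.php")]
    + [_line("198.51.100.7", HUGE, status=503 if i > 40 else 200, size=1_100_000)
       for i in range(60)]
)

if __name__ == "__main__":
    for ip, stats in scan(SAMPLE_LOG).items():
        print(ip, stats)
```

In the sample, the legitimate client is summarised without flags while the second client trips both heuristics; the flagged IPs are what you would feed to a firewall rule or a rate limiter in front of wp-admin/load-scripts.php. Note that the 503 responses late in the burst are exactly the symptom the researcher reports, so the status column is also worth alerting on.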

U.S. federal officials have charged three hackers, who have pleaded guilty to computer-crime charges, with creating and distributing the Mirai botnet, which crippled some of the world's biggest and most popular websites with massive DDoS attacks last year.

According to federal court documents unsealed Tuesday, Paras Jha (21, from New Jersey), Josiah White (20, from Washington) and Dalton Norman (21, from Louisiana) were indicted by an Alaska court last week on multiple charges for their roles in massive cyber attacks conducted using the Mirai botnet.

Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs and other Internet of Things devices still using their default passwords, adds them to a botnet, and then uses that botnet to launch DDoS attacks on websites and Internet infrastructure.

According to his plea agreement, Jha "conspired to conduct DDoS attacks against websites and web hosting companies located in the United States and abroad" by ensnaring over 300,000 IoT devices. He also demanded payment "in exchange for halting the attack."

Between September and October 2016, Jha advertised the Mirai botnet on multiple dark web forums under the online moniker "Anna Senpai." He also admitted to securely wiping the virtual machine used to run Mirai on his device and then posting the Mirai source code online for free.

Since then, other cybercriminals have used the open-source code of the botnet to create their own Mirai variants in a variety of different cyber attacks against their targets.

Paras Jha (a.k.a. Anna Senpai) and his business partner Josiah White (a.k.a. Lightspeed and thegenius) are the same people who were outed by blogger Brian Krebs earlier this year, after his blog was knocked offline by a massive 620 Gbps DDoS attack from the Mirai botnet.

According to Jha's LinkedIn profile, he is a 21-year-old programmer from Fanwood, New Jersey, who codes in multiple programming languages and is listed as president of a DDoS mitigation firm, ProTraf Solutions.

White admitted to creating the Mirai botnet's scanner, which identified and hijacked vulnerable internet-connected devices to enlist in the botnet, while Norman (a.k.a. Drake) admitted to finding private zero-day vulnerabilities and exploits to build into the botnet.

From December 2016 to February 2017, the trio successfully infected more than 100,000 computing devices to form another powerful botnet, called Clickfraud, which was designed to scam online ad networks by simulating clicks on ads for the purpose of artificially generating revenue.

A week after the massive DDoS attack, the source code of Mirai was released on the widely used hacker forum Hackforums by Jha, who, under the name Anna-senpai, wrote that he had "made their money...so it's time to GTFO."

"So today, I have an amazing release for you," he wrote. "With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping."

Once the Mirai source code was out, various cyber criminals used the IoT malware to launch powerful DDoS attacks against websites and Internet infrastructure, one of which hit the popular DNS provider Dyn with a botnet of around 100,000 Mirai-infected devices.

"The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks." DOJ said in a press release.

The trio faces a sentence of up to five years in prison.

This article has been updated to add comments from, and information provided by, the U.S. Department of Justice about the three defendants.

Europol has announced that law enforcement agencies from 13 countries have arrested 34 users of the Netspoof DDoS attack tool and interviewed and warned 101 suspects in a global crackdown.

According to a report published on Europol's official website, law enforcement authorities worldwide made the arrests between 5 and 9 December 2016.

Europol's European Cybercrime Centre (EC3) supported the law enforcement agencies in their efforts to identify suspects in the European Union and beyond.

Arrested Suspects Are Mainly Teenagers

Those arrested are mainly "young adults under the age of 20," suspected of paying for the Netspoof stresser and other booter services, which are DDoS-for-hire tools, and using them to launch cyber attacks.

The DDoS attacks flooded target websites and web servers with massive amounts of data, leaving those services inaccessible to users.

Steven Wilson, head of Europol's European Cybercrime Centre (EC3), hopes the latest arrests will send a message to would-be hackers:

"Today's generation is closer to technology than ever before, with the potential of exacerbating the threat of cyber crime. Many IT enthusiasts get involved in seemingly low-level fringe cybercrime activities from a young age, unaware of the consequences that such crimes carry."

"One of the key priorities of law enforcement should be to engage with these young people to prevent them from pursuing a criminal path, helping them understand how they can use their skills for a more constructive purpose."

This international operation involved Europol working alongside law enforcement from Australia, Belgium, France, Hungary, the Netherlands, Norway, Lithuania, Spain, Sweden, Portugal, Romania, the United Kingdom, and the United States.

All the participating countries worked together within the framework set out by EMPACT (European Multidisciplinary Platform against Criminal Threats), a project aimed at targeting cyber attacks that affect critical infrastructure and information systems in the EU.

The infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against the popular DNS provider Dyn, which caused a vast Internet outage last Friday, is itself flawed.

Yes, the Mirai malware, which has already enslaved millions of Internet of Things (IoT) devices across 164 countries, contains several vulnerabilities that could be used against it to cripple the botnet's DDoS capabilities and mitigate future attacks.

In early October, the developer of the malware publicly released the source code of Mirai, which scans for IoT devices, mostly routers, cameras and DVRs, that still use their default passwords and enslaves them into a botnet used to launch DDoS attacks.

However, after a close look at the source code, a researcher found three vulnerabilities, one of which could be used to shut down Mirai's ability to flood targets with HTTP requests.

Scott Tenaglia, a researcher at endpoint security firm Invincea, found a stack buffer overflow vulnerability in the part of Mirai's code that carries out HTTP flood attacks.

If exploited, the vulnerability crashes the attack process, terminating the attack from that bot (the infected IoT device) while leaving the compromised device itself intact and running.

Tenaglia has publicly released the exploit, noting that it would not have helped against the recent DNS-based DDoS attack on Dyn that rendered major websites inaccessible, but that it does shut down the Layer 7 (HTTP flood) attack capability present in Mirai.

"This simple 'exploit' is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to guard against a Mirai-based HTTP flood attack in real time," Tenaglia writes in a blog post. "Although it cannot be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device."

Legal Concerns of Hacking Back:

However, exploiting this vulnerability means hacking back into large numbers of IoT devices, which is a controversial and legally questionable approach that could put defenders in a gray area.

Hacking back involves making changes to systems in many countries without permission from the device's owner, its ISP or its carrier, and Invincea adds a disclaimer to its research saying that it is not advocating a counterattack.

But since the flaw can thwart the threat, white-hat vigilantes could quietly use it against the malware and take Mirai-infected devices away from the criminals.

As we have seen in numerous court-ordered botnet takedowns in the past, the authorities could obtain a court order and hack back Mirai-compromised devices in order to shut the botnet down.

The DDoS attack that hit French Internet service and hosting provider OVH with 1.1 Tbps of junk traffic, the largest DDoS attack known to date, also came from Mirai bots.


You might be surprised to know that your security cameras, Internet-connected toasters and refrigerators may have inadvertently participated in the massive cyber attack that broke a large portion of the Internet on Friday.

That's due to massive Distributed Denial of Service (DDoS) attacks against Dyn, a major domain name system (DNS) provider that many sites and services use as their upstream DNS provider to translate human-readable domain names into IP addresses.

The result we all know:

Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal and Airbnb were among hundreds of sites and services rendered inaccessible to millions of people worldwide for several hours.

Why and How the Deadliest DDoS Attack Happened

It was reported that Mirai bots were used in the massive DDoS attacks against Dyn, but that they "were separate and distinct" from the bots used in the record-breaking DDoS attack against French Internet service and hosting provider OVH.

Here's why: initially, the Mirai source code was available only to the small number of hackers who knew of the underground hacking forum where it was released.

But later, the link to the Mirai source code received huge promotion from thousands of media websites after journalist Brian Krebs publicized it on his personal blog.

Due to the worldwide coverage, copycat and amateur hackers are now building their own botnets by hacking millions of smart devices, both to launch DDoS attacks and to make money by selling their botnets as DDoS-for-hire services.

The Mirai malware is designed to scan for Internet of Things (IoT) devices, mostly routers, security cameras, DVRs and IP cameras, Linux servers, and devices running BusyBox, that still use their default passwords. It enslaves vast numbers of these devices into a botnet, which is then used to launch DDoS attacks.

Chinese Firm Admits Its Hacked DVRs and Cameras Were Behind Largest DDoS Attack

More such attacks are expected, and they will not stop until IoT manufacturers take the security of these Internet-connected devices seriously.

One such IoT electronics manufacturer is the Chinese firm Hangzhou Xiongmai Technology, which admitted that its products, DVRs and internet-connected cameras, inadvertently played a role in Friday's massive cyber attack against Dyn.

Mirai can be removed from an infected device simply by rebooting it, but the device will be reinfected within minutes unless its owner and manufacturer take proper measures to protect it.

What's worse, some of these devices, including connected devices from Xiongmai, cannot be protected at all, because their passwords are hardcoded and their makers built them in a way that makes them hard to update.

"Mirai is a huge disaster for the Internet of Things," the company confirmed to IDG News. "[We] have to admit that our products also suffered from hacker's break-in and illegal use."

The company claimed to have rolled out patches for security vulnerabilities, involving weak default passwords, which allowed the Mirai malware to infect its products and use them to launch massive DDoS attack against DynDNS.

However, Xiongmai products that are running older versions of the firmware are still vulnerable. To tackle this issue, the company has advised its customers to update their product's firmware and change their default credentials.

The company will also recall some of its earlier products, specifically webcam models sold in the US, and send customers a patch for products made before April last year, Xiongmai said in a statement on its official microblog.

Hackers are selling IoT-based Botnet capable of 1 Tbps DDoS Attack

Even worse is expected:

Friday's DDoS attack, which knocked out a large part of the Internet in the U.S., is just the beginning, because hackers have started selling access to huge armies of hacked IoT devices capable of severely disrupting any web service.

Anyone could buy 50,000 bots for $4,600, or 100,000 bots for $7,500, and combine them to overwhelm targets with traffic.

Hacker groups have long sold access to botnets as DDoS weapons for hire, like the infamous Lizard Squad's DDoS tool Lizard Stresser, but those botnets largely comprised compromised routers, not IoT devices such as connected cameras, toasters, fridges and kettles, which are now available in bulk.

In a separate disclosure, a hacking group calling itself New World Hackers has also claimed responsibility for Friday's DDoS attacks, though this has not been confirmed.

New World Hackers is the same group that briefly knocked the BBC offline last year. The group claimed to be a hacktivist collective with members in China, Russia, and India.

Who is behind Friday's cyber attack is still unclear. The US Department of Homeland Security (DHS) and the FBI are investigating the DDoS attacks against Dyn, but neither agency has yet speculated on who might be responsible.

The Dyn DDoS attack has already shown the danger of IoT-based botnets, alerting both IoT manufacturers, who need to start building security into their products, and end users, who need to start caring about the basic safety of their connected devices.

Jailbreaking your device may have got you the best of apps, but after reading this you will know what a high price you could pay for the jailbreak.

Malware named "KeyRaider" has reportedly stolen the credentials of approximately 225,000 iPhone users. It was given this name because it raids victims' usernames and passwords, private keys and certificates.

Figures show that KeyRaider has affected a large number of users in China and in 17 other countries. The malware's origin is also suspected to be in China, according to an investigation by Palo Alto Networks into suspicious tweaks for jailbroken iPhones.

Users falling prey to KeyRaider may be the victims of:

Ransomware

Data Theft

DDoS Attacks

The malware targets jailbroken phones and, once active, captures users' Apple IDs and makes purchases with them.

The researchers say it spreads through Cydia app repositories, which are popular among jailbreakers, who strip the device's security protections in order to install third-party apps.

Palo Alto says:

“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords, and device GUID by intercepting iTunes traffic on the device."

Concern about cyber security is high, and awareness of the challenges it brings is growing.

This week we shared lots of stories with our readers to help them identify the biggest malware threats to their online safety.

Here is an outline of last week's stories, in case you missed any of them (ICYMI).

We recommend you read each one in full (just click 'Read More'), because there is valuable advice in there as well. Here's the list:

➢ How Hackers Can Hack Your Gmail Account

Getting smarter with their phishing tactics, hackers have found ways to fool Gmail's tight security by bypassing its two-step verification.

Hackers are now using text messages and phone-based phishing attacks to circumvent Gmail's security and take over your Gmail accounts. — Read more.

➢ Not Just Windows 10, Windows 7 and 8 Also Spy on You

Laughing at the controversial data mining and privacy-invading features in Windows 10? Windows 7 and 8 users should laugh no longer, as Windows 10-style spying is now headed their way too.

Microsoft has been criticized for pushing updates to Windows 7 and Windows 8 computers that indiscriminately upload users' data to Microsoft's servers, which may be a significant privacy concern for many users.

➢ Six Teenagers Arrested for Using Lizard Squad's DDoS Tool

Six U.K. teenagers were arrested and then released on bail for using the Lizard Squad DDoS attack tool to launch cyber attacks on several websites and online retailers.

The Lizard Squad DDoS tool, popularly known as Lizard Stresser, was allegedly used to knock down the largest online gaming networks, PlayStation Network and Xbox Live, last year. — Read more.

➢ 26 Android Phone Models Shipped with Pre-Installed Spyware

The latest report from G Data claims that more than two dozen Android smartphones from popular handset manufacturers, including Xiaomi, Huawei and Lenovo, ship with spyware pre-installed in the firmware that cannot be removed without unlocking the phone.

The spyware, disguised as popular Android apps such as Facebook and Google Drive, can listen in on telephone conversations, access the Internet, read contacts, gallery and location data, install unwanted apps, and more.

➢ Critical OS X Flaw Grants Mac Keychain Access to Malware

The privilege-escalation bug once used to circumvent security protections and install malware on Macs has been upgraded to infect Mac OS X machines even after Apple fixed the issue last month.

The updated version of the same highly questionable Genieo installer now accesses the user's Mac OS X keychain without permission. For more details — Read more.

➢ Popular Baby Monitors Are Hackable

Baby monitors make parents' lives calmer, letting them see and hear their toddlers while they are away at work.

But recent research showed that baby monitors from several vendors are at risk of being breached. US-CERT has also warned about the flaws in these IoT devices. — Read more.

➢ Government Ruled: FBI to Get Warrant for Spying

A new policy announced Thursday by the US Department of Justice will require federal law enforcement agencies to obtain a warrant before spying on cell phone users with "Stingrays," or "IMSI catchers."

Stingrays, which essentially mimic mobile phone towers, have been used by local police and federal authorities for years to track cell phones in countless investigations without a court order.

Under the new policy, federal agencies will also have to present annual data revealing how many times they have used Stingrays. — Read more.

➢ 'AppLock' Android App is Useless

AppLock is installed on a huge number of Android phones, and a report by security researchers, with practical examples, shows that users who believed the app did what it promised were mistaken.

In reality, it lacks essential security features. — Read more.

Good news for software developers: Diffy, the comparison-based regression analysis tool that Twitter uses, is now open source, so they can compare the behaviour of new and old code and catch bugs. — Read more.

➢ How to Hack Popular Belkin Wi-Fi Routers

This one is a serious issue to look at: US-CERT has published a list of vulnerabilities in Belkin's next-generation routers.

The routers are vulnerable to several serious attacks, including privilege escalation and man-in-the-middle attacks.

The US-CERT advisory also comes with mitigation procedures you can follow. — Read more.

Six British teenagers have been arrested and released on bail on suspicion of launching cyber attacks on websites and services with the Lizard Squad DDoS attack tool, called Lizard Stresser.

Lizard Squad is infamous for hacking and knocking down the largest online gaming networks – PlayStation Network and Xbox Live– last year by launching massive Distributed Denial-of-Service (DDoS) attacks.

The notorious hacker group set up a website to let customers use its Lizard-branded DDoS-for-hire tool Lizard Stresser to launch similar DDoS attacks.

The six teens, arrested by the National Crime Agency, are accused of using Lizard Stresser DDoS tool to launch cyber attacks against a school, a national newspaper, gaming companies and a number of online retailers.

However, according to law enforcement, none of the teenagers is believed to be a member of Lizard Squad, nor to have had any connection with last year's Christmas attack on Sony's and Microsoft's gaming services.

All six suspects are alleged to have bought the DDoS tool using alternative payment services such as Bitcoin.

Regarding the arrests, Tony Adams, senior head of investigations for NCA's National Cyber Crime Unit, said:

By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services.
One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cyber crime and how they can channel their abilities into productive and lucrative legitimate careers.

Law enforcement didn't name the teenagers, but their ages and home towns are listed below:

An 18-year-old from Huddersfield, West Yorkshire

An 18-year-old from Manchester

A 16-year-old from Northampton

A 15-year-old from Stockport

A 17-year-old from Cardiff

A 17-year-old from Northolt, north-west London

All six suspects have been bailed, while two 18-year-olds, from Manchester and Milton Keynes respectively, were interviewed under caution.

GitHub was made aware of the issue early on Tuesday. After investigating the problem, the team determined that the service was under a new DDoS attack.

The code repository disclosed the new attack on its status page as well as its official Twitter account.

"The connectivity problems have been identified as a DDoS attack. We're working to mitigate now," GitHub status log read early on Tuesday.

The March DDoS attack against GitHub lasted close to a week. At the time, the attackers used malicious JavaScript to hijack Internet traffic from victims worldwide and redirect it at GitHub.

However, the latest attack didn't last too long. Roughly four hours after the company reported the issue, GitHub mitigated the attack and announced that everything was back to normal.

So far, the company hasn't provided more details about the latest attack, beyond posting an overview of attack timeline on GitHub's status page.

GitHub has been the target of multiple Distributed Denial-of-Service (DDoS) attacks in its history, but the company said the March attack, which was traced back to servers in China, was the largest.


China has something very impressive that we were not aware of: a powerful and previously unknown weapon that its government is using to bolster its cyber attack capabilities.

Dubbed "The Great Cannon."

INTERNET CENSORSHIP IN CHINA

Any discussion of Internet censorship is incomplete without China, which is famous for both its Great Wall and its Great Firewall. The Chinese government's censoring of Internet access and blocking of individual websites is known as the Great Firewall of China.

But why does the Chinese government do that? The answer is very simple:

The Chinese government restricts content it deems sensitive for the country's so-called democracy. It criminalizes certain online speech and activities, blocks selected websites, and filters keywords out of searches initiated from computers in mainland China.

Worse:

Chinese citizens who defy the country's Internet censorship can also face judicial consequences.

GreatFire.org – an anti-censorship project, hosted on GitHub, that helps Chinese citizens circumvent the Great Firewall of China.

CN-NYTimes – a GitHub project that hosts New York Times mirrors so Chinese netizens can access the news website, which is normally blocked in China.

But how did the Chinese manage to produce DDoS attacks of such strength and bandwidth?

The answer is the "Great Cannon" (GC). The Chinese government is now using a new cyber weapon in an effort to silence not only its citizens but critics around the world, according to the latest report released by Citizen Lab.

THE GREAT CANNON – A NEW POWERFUL WEAPON

What's the Great Cannon?

The Great Cannon is a cyber attack tool essentially capable of hijacking Internet traffic at the national level and then directing that traffic at networks the attackers want to knock offline, injecting spyware or malware into it, or using the hijacked users to flood another website with traffic.

GitHub's attackers are believed to have used the Great Cannon as a DDoS tool, hijacking the traffic of visitors to the Chinese search engine giant Baidu, or to any website that used Baidu's extensive advertising network, in order to cripple the popular code-sharing site.

In simple words:

Anyone visiting a Baidu-affiliated website from anywhere in the world was at risk of having their Internet traffic hijacked by the attackers and turned into a weapon to flood anti-censorship websites, like GitHub, with junk traffic.

Let’s have a look on how the Great Cannon was deployed in the GitHub and GreatFire.org attacks:

HOW THE GREAT CANNON WORKS

The Great Cannon works by intercepting data sent between two nodes and redirecting it to a third. This cyber weapon leverages an analytics script commonly distributed by the Chinese search engine Baidu.

Now:

Generally this script is not malicious, but according to Citizen Lab, the Cannon's operators tampered with the script so that, instead of sending its analytics data, the user's browser sent requests to GitHub, thus flooding the target website with traffic from unsuspecting users.

The weapon is also capable of a full-fledged man-in-the-middle (MITM) attack, so it could also be used to intercept unencrypted emails.

It is reminiscent of:

QUANTUM – a similar NSA weapon that could redirect victims to fake websites serving malware. It performed a man-in-the-middle attack on unencrypted sites from a spoofed server placed on the Internet backbone, which answered faster than the real server.

The NSA dubbed these secret Internet backbone nodes Quantum nodes.

What's more:

This new move by the Chinese government could signal a change in China's online behaviour: a shift from the passive censorship of the Great Firewall of China to active censorship, readily attacking foreign websites with the Great Cannon.

Cyber attacks originating in China are not at all surprising. But...

..."the operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of a [cyber] attack tool to enforce censorship by weaponizing users," the security researchers from the University of Toronto and University of California wrote in a report published Friday.

MEASURES TO MITIGATE THE GREAT CANNON

According to the researchers, the Great Cannon could be neutralized to a great extent if websites communicated over encrypted HTTPS connections.

Why? The reason:

An attacker sitting between the sender and the receiver cannot easily modify traffic that is encrypted end to end, as long as the website does not load files or resources over unencrypted, non-HTTPS connections.